
CWE-307 Improper Restriction of Excessive Authentication Attempts: vulnerability list (344)

Summary of the 344 CVE vulnerabilities in weakness class CWE-307 (Improper Restriction of Excessive Authentication Attempts), with Chinese AI analysis.

CWE-307 is an authentication weakness: the system does not effectively limit the number of failed authentication attempts within a short period. Attackers commonly exploit it for brute-force or dictionary attacks, guessing credentials at high frequency to gain unauthorized access. Developers should implement account lockout, introduce CAPTCHA challenges, or apply dynamic rate limiting, which preserves the user experience while markedly raising the difficulty and cost of automated attacks.

MITRE CWE official description
CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts. Description: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Common consequences (1)
Access Control: Bypass Protection Mechanism
An attacker could perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to the targeted account using a brute force attack.
Mitigations (2)
Architecture and Design: Common protection mechanisms include disconnecting the user after a small number of failed attempts, implementing a timeout, locking out a targeted account, and requiring a computational task on the user's part.
Architecture and Design: Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator [REF-45].
Demonstrative examples (2)
In January 2009, an attacker was able to gain administrator access to a Twitter server because the server did not restrict the number of login attempts [REF-236]. The attacker targeted a member of Twitter's support team and was able to successfully guess the member's password using a brute force attack by guessing a large number of common words. After gaining access as the member of the support st…
The following code, extracted from a servlet's doPost() method, performs an authentication lookup every time the servlet is invoked, with no limit on how often a caller may retry:
Bad · Java
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    int authResult = authenticateUser(username, password);
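As an added illustration (not code from the page or from MITRE), the same lookup guarded by the first mitigation named above: a per-account failure counter that locks the account for a window once a threshold is reached, so the credential store is no longer consulted for every retry. The LoginThrottle class, the thresholds, the constructed test credential and the authenticateUser() placeholder are all assumptions.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: per-account failed-login counter with a lockout window.
public class LoginThrottle {
    private static final int MAX_FAILURES = 5;                      // assumed threshold
    private static final Duration LOCKOUT = Duration.ofMinutes(15); // assumed lockout window
    public enum Outcome { SUCCESS, FAILURE, LOCKED }

    private static final class State { int failures; Instant lockedUntil = Instant.EPOCH; }
    private final Map<String, State> states = new ConcurrentHashMap<>();

    // Same lookup as the page's doPost() fragment, now guarded by the failure counter.
    public Outcome attemptLogin(String username, String password, Instant now) {
        State s = states.computeIfAbsent(username, k -> new State());
        synchronized (s) {
            if (now.isBefore(s.lockedUntil)) {
                return Outcome.LOCKED;              // refuse before touching the credential store
            }
            if (authenticateUser(username, password)) {
                s.failures = 0;                     // a good login resets the counter
                return Outcome.SUCCESS;
            }
            if (++s.failures >= MAX_FAILURES) {
                s.lockedUntil = now.plus(LOCKOUT);  // threshold reached: open the lockout window
                s.failures = 0;
            }
            return Outcome.FAILURE;
        }
    }

    // Placeholder standing in for the page's authenticateUser(); the credential is constructed.
    private boolean authenticateUser(String username, String password) {
        return "alice".equals(username) && "correct horse battery staple".equals(password);
    }

    public static void main(String[] args) {
        LoginThrottle t = new LoginThrottle();
        Instant now = Instant.now();
        for (int i = 0; i < MAX_FAILURES; i++) {
            t.attemptLogin("alice", "wrong-" + i, now);   // five failures trip the lockout
        }
        // Even the correct password is refused until the window has elapsed.
        System.out.println(t.attemptLogin("alice", "correct horse battery staple", now));
        System.out.println(t.attemptLogin("alice", "correct horse battery staple", now.plus(LOCKOUT)));
    }
}
```

A per-account lockout can itself be used to keep a legitimate user out, so in practice it is paired with the other mechanisms in the mitigation list (timeouts, a computational task or CAPTCHA) and lockout events are logged so that a burst of failures against one account is visible to monitoring.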
| CVE ID | Title | Affected product | CVSS | Risk level | Published |
|---|---|---|---|---|---|
| CVE-2026-10216 | DroidClaw Claim endpoint pairing.ts excessive authentication attempts vulnerability | droidclaw | 3.7 | Low | 2026-06-01 |
| CVE-2026-45364 | Better Auth security vulnerability | better-auth | 7.3 | High | 2026-05-28 |
| CVE-2026-35675 | phpMyFAQ security vulnerability | phpMyFAQ | 8.2 | High | 2026-05-28 |
| CVE-2026-8760 | WordPress plugin Login with OTP security vulnerability | Login with OTP | 9.8 | Critical | 2026-05-27 |
| CVE-2026-1816 | TEİAŞ Mobile Application security vulnerability | Mobile Application | 6.3 | Medium | 2026-05-21 |
| CVE-2020-37228 | Yerootech iDS6 DSSPro Digital Signage System security vulnerability | iDS6 DSSPro Digital Signage System | 9.8 | Critical | 2026-05-16 |
| CVE-2026-45010 | phpMyFAQ security vulnerability | phpmyfaq | 9.1 | Critical | 2026-05-15 |
| CVE-2025-64526 | Strapi security vulnerability | strapi | - | - | 2026-05-14 |
| CVE-2025-62313 | HCL AION security vulnerability | AION | 5.4 | Medium | 2026-05-14 |
| CVE-2026-44195 | Deciso OPNsense security vulnerability | core | 5.3 | Medium | 2026-05-13 |
| CVE-2026-7255 | Zyxel WRE6505 security vulnerability | WRE6505 v2 firmware | 6.5 | Medium | 2026-05-12 |
| CVE-2026-43914 | Vaultwarden security vulnerability | vaultwarden | 7.3 | High | 2026-05-11 |
| CVE-2026-41893 | Signal K Server security vulnerability | signalk-server | 9.1 | - | 2026-05-09 |
| CVE-2025-2514 | Hitachi Virtual Storage Platform and Hitachi Virtual Storage Platform One Block security vulnerability | Hitachi Virtual Storage Platform G130, G150, G350, G370, G700, G900, F350, F370, F700, F900 | 5.3 | Medium | 2026-05-07 |
| CVE-2023-54347 | OpenEMR security vulnerability | OpenEMR | 7.5 | High | 2026-05-05 |
| CVE-2026-7671 | CodeWise Tornet Scooter Mobile App security vulnerability | Tornet Scooter Mobile App | 3.7 | Low | 2026-05-02 |
| CVE-2026-26206 | Wazuh security vulnerability | wazuh | 6.5 | Medium | 2026-04-29 |
| CVE-2026-6947 | D-Link DWM-222W USB Wi-Fi Adapter security vulnerability | DWM-222W | 7.5 | High | 2026-04-24 |
| CVE-2026-41213 | @node-oauth/oauth2-server security vulnerability | node-oauth2-server | 5.9 | Medium | 2026-04-23 |
| CVE-2026-40586 | blueprintUE self-hosted edition security vulnerability | blueprintue-self-hosted-edition | 7.5 | High | 2026-04-21 |
| CVE-2025-14362 | Fortra GoAnywhere MFT security vulnerability | GoAnywhere MFT | 7.3 | High | 2026-04-21 |
| CVE-2026-41037 | Quantum Networks router security vulnerability | Router QN-I-470 | 8.8 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-40485 | ChurchCRM security vulnerability | CRM | 5.3 | Medium | 2026-04-17 |
| CVE-2025-46606 | Dell PowerProtect Data Domain security vulnerability | PowerProtect Data Domain | 6.2 | Medium | 2026-04-17 |
| CVE-2026-22616 | Eaton Intelligent Power Protector security vulnerability | IPP Software | 6.5 | Medium | 2026-04-16 |
| CVE-2026-33667 | OpenProject security vulnerability | openproject | 7.4 | High | 2026-04-15 |
| CVE-2026-2402 | Schneider Electric PowerChute Serial Shutdown security vulnerability | PowerChute™ Serial Shutdown | 9.8 | - | 2026-04-14 |
| CVE-2025-31991 | HCL DevOps Velocity security vulnerability | Velocity | 6.8 | Medium | 2026-04-13 |
| CVE-2026-35597 | Vikunja security vulnerability | vikunja | 5.9 | Medium | 2026-04-10 |
| CVE-2026-35646 | OpenClaw security vulnerability | OpenClaw | 4.8 | Medium | 2026-04-09 |

CWE-307 (Improper Restriction of Excessive Authentication Attempts) is a common weakness class; this platform lists 344 CVE vulnerabilities associated with it.